Virus Name: Rodolf
Aliases: Rodolf.4096, Rodolf.4096.A
V Status: New
Discovery: July, 1995
Symptoms: .COM & .EXE growth; message displayed; system hangs;
decrease in total system & available free memory
Eff Length: 4,096 Bytes
Type Code: PRtAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, AVTK, VAlert, ViruScan, Sweep, IBMAV,
NAV, NAVDX, ChAV,
NShld, Sweep/N, NAV/N, AVTK/N, IBMAV/N, NProt, Innoc 4.0+
Removal Instructions: Delete infected files
The Rodolf virus was received in July, 1995. Its origin or point
of isolation is unknown. Rodolf is a memory resident infector of
.COM and .EXE files, including COMMAND.COM.
When the first Rodolf infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, moving interrupt 12's return. Total system
and available free memory, as indicated by the DOS CHKDSK program
from DOS 5.0, will have decreased by 4,096 bytes. Interrupt 21 is
hooked by the virus in memory.
Once the Rodolf virus is memory resident, it will infect .COM and
.EXE programs, including COMMAND.COM, when they are executed. If
the program was previously infected by the virus, it will be
reinfected at this time. Programs infected with the Rodolf virus
will have a file length increase of 4,096 bytes for each infection
of the virus present on the file. The virus will be located at the
end of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text strings
are visible within the viral code:
"Rodolf virus Version 1.0"
"Hi hi ! I'm killing you !"
The last text string above will be the last two bytes in any
Occassionally, the Rodolf virus will display the second text string
above as a message in flashing yellow text with a blue background on
the system monitor when a program is executed. A system hang will
also occur at this time.
Known variant(s) of Rodolf are:
Rodolf.4096.B: Received in January, 1996, this is a 4,096 byte
variant which is functionally very similar to the Rodolf virus
described above. It contains the following unencrypted text
"Manu virus Version 1.0"
"Parity error 0000:F243"
The repeated text string "stack." occurrs many more times than
is indicated above. Like the original virus, this variant also
reinfects previously infected files.
Origin: Unknown January, 1996.